What tool shows /proc/net/nf_conntrack
Tom H
tomh0665 at gmail.com
Sun Aug 28 05:17:56 UTC 2011
On Sat, Aug 27, 2011 at 7:50 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> On Sat, 27 Aug 2011 19:46:12 -0400
> Sam Varshavchik <mrsam at courier-mta.com> wrote:
>>
>> I forwarded a port, using system-config-firewall.
>>
>> The destination machine, not surprisingly, shows the IP address of
>> the firewall as the source of the connection. The goal is obtaining
>> the connection's real source IP. However, on the firewall the
>> forwarded connection isn't reported anywhere by netstat or ss.
>
> This is a DNAT forward? it should show the IP of whatever machine is
> sending the request, not the firewall box in the middle.
>
>> After poking around, I found what I was looking for in
>> /proc/net/nf_conntrack. The forwarded connection was listed there,
>> showing the connection's real source IP.
>>
>> But grepping through /proc/net/nf_conntrack seems to be rather
>> quaint. Neither netstat's nor ss's man page hint at any option that
>> would report on /proc/net/nf_conntrack in some user-friendly fashion.
>> Is there some other admin utility that does?
>
> conntrack-tools has a 'conntrack' command line tool.
KF1: You missed "on the firewall."
KF2: Thanks, didn't know about "conntrack".
OP: You can make iptdables log your forwarding rule; that log *might*
be more convenient than "/proc/net/nf_conntrack".
More information about the users
mailing list